MUTUALLY AUTHENTICATED SECURE KEY EXCHANGE (MASKE)
BACKGROUND OF THE INVENTION 

1. Field of the Invention

[0001] The invention includes cryptography. More
particularly, an embodiment of the invention includes electric
signal transmission and modification by particular algorithmic
function encoding for secure key exchange to effectuate mutual
identification and authentication.

2. Background Information

[0002] Cryptography may be viewed as the process or skill
of communicating in or deciphering secret writings or ciphers. 
To prevent anyone but the intended recipient from reading 
communicated data, plain text (cleartext) may be converted 
into ciphered text (cipher text) through a cryptography 
procedure referred to as encryption. Forming the basis of 
network security, a common type of data encryption includes 
public-key encryption. 

[0003] Public-key encryption (PKE or "public-key 
cryptography") may be an encryption scheme where each 
participant receives a pair of keys, called the public key and 
the private key. Each public key may be published while each 
private key may be kept secret. Using the public key of a 
message's intended recipient, the message to that intended 
recipient may be encrypted so that it may only be decrypted by 
the intended recipient using that participant's private key. 
Public-key encryption may be used for authentication,
confidentiality, integrity, and non-repudiation. 
[0004] As with most cryptography discussions, the
descriptions in this patent make use of two actors, namely
Alice and Bob, who are trying to conduct secure communications
before the watchful eyes of passive eavesdropper Eve, and
without the interference of malicious active attacker (or
man-in-the-middle) Mallory. Most public key exchange algorithms
involve Alice (client) sending Bob (server) a data packet and
Bob sending Alice a data packet, where each may combine the
parts included in the data packets to generate a single-use,
shared session key, and then prove to each other that the
shared key is valid.

[0005] The first public-key encryption scheme was patented
by Martin Hellman, Bailey Diffie, and Ralph Merkle in 1980 as
U.S. 4,200,770. Through the Hellman-Diffie-Merkle key
exchange (conventionally the Diffie-Hellman key exchange), the
need for the sender and the receiver to share secret
information (private keys) via some secure channel may be
eliminated since all exchanged communications involve only
public keys, and no private key need be transmitted or shared.
[0006] Although the Diffie-Hellman key exchange may
establish a communication channel secure from eavesdropping,
the Diffie-Hellman key exchange is subject to man-in-the-
middle attacks. That is, an interloper such as Mallory may
dispose himself between Bob and Alice and pretend to be Alice
to Bob and pretend to be Bob to Alice. This may occur since
the Diffie-Hellman key exchange fails to identify or
authenticate to Bob that Alice may be really Alice, or vice
versa. Since Mallory may dispose himself between Bob and
Alice, Mallory may decrypt, examine, and reencrypt passing
data packets without the knowledge of Bob or Alice.
[0007] As an alternative to positioning himself as an 
interloper, Mallory may eliminate Bob from the picture and 
emulate or "spoof" his identity. After Mallory establishes a 
secure channel with Alice, the spoofing Mallory may continue 
the communication with Alice until he receives a privileged 
piece of information, such as a password, or has delivered a 
virus or Trojan horse to Alice's system. 

[0008] To overcome the limitations of the Diffie-Hellman
key exchange, U.S. 5,241,599, known as Encrypted Key Exchange
(EKE), modifies Diffie-Hellman by encrypting at least one of
Bob and Alice's public keys with a secret password that may be
known to both Alice and Bob prior to transmission over a
network. However, for EKE to work, the shared secret password
must be stored as cleartext within the server Bob. An
augmentation of U.S. 5,241,599 (Augmented EKE protocol or
A-EKE) employs a one-way hash of the user's password as the
encryption key in the Diffie-Hellman variant of EKE. The user
then sends an extra message based on the original password.
This message may authenticate the newly chosen session key.
[0009] Simple Password Exponential Key Exchange (SPEKE),
developed by Integrity Sciences of Westboro, Massachusetts,
modifies Encrypted Key Exchange (EKE) to guard against
dictionary attacks by storing shared secret passwords as a
specially computed derivative that may not be equivalent or
reversible to the original plaintext of the shared secret
passwords. An attacker may not be able to use a captured
password database directly to compromise the targeted host. A
less secure implementation of SPEKE allows the host to store
the passwords as cleartext. Secure Remote Password (SRP)
protocol, developed by Stanford University of Stanford,
California, is another password authentication and
key-exchange protocol along the same lines as SPEKE.
BRIEF DESCRIPTION OF THE DRAWINGS

[0010] Figure 1 illustrates a list of symbols used in the
below discussion and their corresponding description;

[0011] Figure 2 illustrates one session of Diffie-Hellman
key exchange 200;

[0012] Figure 3 illustrates one session of Diffie-Hellman
key verification 300 of Diffie-Hellman key exchange 200 of
Figure 2;

[0013] Figure 4 illustrates two-way random number exchange
400;

[0014] Figure 5 illustrates session 500 of the invention;

[0015] Figure 6 illustrates session 600 of the invention;

[0016] Figure 7 illustrates an embodiment of the invention
employed in Internet 700; and

[0017] Figure 8 shows one example of conventional computer
system 800 that may be used with the invention.
DETAILED DESCRIPTION OF THE INVENTION

[0018] As with most cryptography discussions, the below
description makes use of two actors, namely Alice and Bob.
Alice and Bob are trying to conduct secure communications
before the watchful eyes of passive eavesdropper, Eve, and
without the interference of malicious active attacker (or
man-in-the-middle), Mallory.

[0019] Figure 1 illustrates a list of symbols used in the
below discussion and their corresponding description. Some
assumptions regarding the use of these symbols are employed in
this patent. For example, it is assumed that Bob and Alice
use the same combining function f( ). When either Bob or
Alice decrypts a transmission, it is assumed that the
transmission was unaffected by noise or the like and that the
decryption itself worked as intended. It is assumed that
Alice and Bob employ the same modulo variables α and β.
Moreover, it is assumed that Alice and Bob actually share each
other's secret password.

[0020] Since embodiments of the invention may employ
aspects of the Diffie-Hellman key exchange and 2-Way Random
Number Exchange, these protocols will be discussed in
connection with Figure 2, Figure 3, and Figure 4.
[0021] Figure 2 illustrates one session of conventional
Diffie-Hellman key exchange 200. In exchange 200, Alice 202
may generate random number R_A 206 and Bob 204 may generate
random number R_B 208. Next, at steps 210 and 212,
respectively, Alice 202 and Bob 204 may use modulus
exponentiation on their respective private keys R_A 206 and
R_B 208 to derive keys that will be publicly exchanged.
[0022] Modular (mod) reduction focuses on the remainder or
residue of the division of two integers. The operation
b = α mod β denotes the residue b of congruent α, such that the
residue b may be an integer from 0 to β - 1, where β may be
the modulo. For example, thirteen divided by three equals
four, with a remainder of one. Thus, thirteen modulo three
(13 mod 3) is equal to one (1 = 13 mod 3). Similarly, sixteen
modulo three is equal to one (1 = 16 mod 3), there being five
remainder one after sixteen is divided by three. Likewise,
nineteen modulo three also is equal to one (1 = 19 mod 3).
[0023] Based on modular reduction, transmitting a residue
of "1" across an unsecured network will not directly reveal
the congruent α (in the above example, 13, 16, or 19).
Employing very large numbers for the congruent α and the
modulo β (for example, greater than 200-bit numbers) works
towards making it difficult for Mallory or Eve to detect the
congruent α. Raising the congruent α to a random exponent
(such as R_A or R_B) makes it very difficult for Mallory or Eve
to detect the congruent α. However, the recipient such as
Alice or Bob will have that which may be needed to determine
the congruent α.
[0024] To generate public key 210, Alice 202 may set her
public key M_A 210 equivalent to constant parameter α raised to
the exponential power of Alice's private, random key R_A 206,
modulo parameter β. Alice 202 and Bob 204 are assumed to know
the values of parameter α and parameter β. Similarly, to
generate public key 212, Bob 204 may set his public key M_B
212 equivalent to constant parameter α raised to the
exponential power of Bob's private, random key R_B 208, modulo
parameter β. Thus,

M_A = α^{R_A} mod β (210)

M_B = α^{R_B} mod β (212)

[0025] Alice 202 and Bob 204 may next exchange their
generated public keys. Alice 202 may transmit her public key
M_A 210 at step 214 to Bob 204 so that Bob 204 may generate
Bob's version of the session key, here 215. On receiving
Alice's public key M_A 210, Bob 204 may employ modulus
exponentiation at step 215 to generate Bob 204's version of
the session key as follows:

K_B = (M_A)^{R_B} mod β (215).

[0026] Bob 204 may transmit his public key M_B 212 at step
218 to Alice 202 so that Alice 202 may generate her own
version of the session key, here 220, for her own use. On
receiving Bob's public key M_B 212, Alice 202 may employ at step
220 a modulus exponentiation similar to the one used by Bob
204 to generate her version of the session key as follows:

K_A = (M_B)^{R_A} mod β (220).

[0027] At step 222, Alice 202 may continue with session
keys to allow two way transmission 224 and Bob 204 may
continue at step 226 with session keys to allow two way
transmission 228. Two way transmission 224 and two way
transmission 228 may be two way encrypted transmissions. Where
each of two way transmission 224 and two way transmission 228
is allowed, two way transmission 230 may be continuously
opened between Alice 202 and Bob 204.
[0028] Two way transmission 224 and two way transmission
228 may be allowed where session keys K_A 220 and K_B 216 are
identical. Session keys K_A 220 and K_B 216 may be identical
because Alice 202 combined M_B and R_A and Bob 204 combined
M_A and R_B, each in a particular mathematical way, where the
public half of the keys, M_A and M_B, were based on common
parameters, namely parameter α and parameter β. Session keys
K_A 220 and K_B 216 may be private to Alice 202 and Bob 204 in
connection with particular session 200 since only Alice 202
and Bob 204 know of the particular mathematical formula and
the parameters used in that formula.

[0029] Although session keys K_A 220 and K_B 216 may be
identical, this may not always be the case. If there is a
mistake in transmission 214 or 218 over transmission lines 203
or if Mallory substitutes one of his data packets for a
transmitted data packet, K_A 220 and K_B 216 may not match,
such that K_B ≠ K_A. If K_B ≠ K_A, Alice 202 and Bob 204 do not
share a common secret session key. To ensure that Bob's
version of the session key and Alice's version of the session
key match, a key verification phase may be performed.
[0030] Figure 3 illustrates one session of conventional
Diffie-Hellman key verification 300 of Diffie-Hellman key
exchange 200 of Figure 2. In verification 300, Alice 202 may
generate random number N_A 302 and Bob 204 may generate random
number N_B 304. Random number N_A 302 and random number N_B 304
may serve as verification nonces for session 300. A nonce may
be a random number made and used briefly for a special
purpose, such as validating one particular instance of session
300. At step 306, Alice 202 may encrypt random number N_A 302
with Alice's version of session key K_A 220 to obtain
ciphertext (N_A)_{K_A} 306.

[0031] Encryption of a number may be represented in this
patent by parentheses disposed about the number, where the
parentheses include a subscript letter of encryption, in step
306 the letter K_A. The subscript "A" to the letter K may
indicate that the encrypting key K_A 220 is Alice's ("A")
version of the session key ("K"). At step 308, Alice 202 may
transmit encrypted random number (N_A)_{K_A} 306 to Bob 204.

[0032] Once Bob 204 receives the packet of random number
N_A 302 encrypted to Alice's key K_A 220 (namely, encrypted to
K_A), Bob 204 may decrypt encrypted random number (N_A)_{K_A}
306 with Bob's version of the session key K_B 216 at step 310
to extract random number N_A 310. Under most circumstances,
N_A 310 will equal N_A 302.
[0033] Decryption by a key may be represented in this
patent by parentheses disposed about the encrypted quantity,
where the parentheses may include the decryption superscript
of negative one and the decryption key subscript letter, in
step 310 the letter K_B. For Diffie-Hellman key verification
300 to work, Bob 204 must apply the same symmetrical
encryption algorithm for his step 310 decryption as that
applied by Alice 202 in encryption step 306. Thus, Diffie-
Hellman key verification 300 assumes that Bob 204 and Alice
202 share the same symmetrical encryption algorithm.
[0034] Next, at step 312, Bob 204 increments Alice's random
number N_A 310 by one. At step 314, Bob 204 may encrypt as a
string both Bob's random number N_B 304 and Bob's increment 312
of Alice's random number N_A 310 with Bob's version of the
session key K_B 216. This may be written as

(N_B, N_A+1)_{K_B} (314).

At step 316, Bob 204 may transmit encrypted string
(N_B, N_A+1)_{K_B} 314 to Alice 202.

[0035] At step 318, Alice 202 may decrypt encrypted string
(N_B, N_A+1)_{K_B} 314 to obtain Bob's random number N_B 320 and
to obtain Bob's increment of Alice's random number N_A+1 322.
Alice 202 then may increment Bob's random number N_B 320 at
step 324 to obtain N_B+1 324, encrypt the increment of Bob's
random number N_B+1 324 at step 326, and transmit encrypted
packet 326 at step 328 to Bob 204. At step 330, Bob 204 may
decrypt packet 326 received from Alice 202 to obtain Alice's
increment of Bob's random number N_B+1 330.

[0036] Since both parties possess their original random
number and the increments generated and transmitted by the 
other party, each originator may verify that the result they 
received from the other party is the correct increment of 
their original randomly generated nonce. 

[0037] At step 332, Alice 202 may verify that Bob 204 did
in fact correctly increment Alice's random number N_A 302 by
determining at step 332 whether incremented random number
N_A+1 322 received from Bob 204 over transmission 316 less its
increment is equal to Alice's random number N_A 302.

[0038] If incremented random number N_A+1 322 less its
increment is not equal to Alice's random number N_A 302, Alice
202 may terminate session 300 at step 334. If incremented
random number N_A+1 322 less its increment is equal to Alice's
random number N_A 302, then Alice 202 has verified that Bob's
version of the session key, K_B, is equal to Alice's version of
the session key, K_A (namely, K_B = K_A). Alice 202 then may
continue with session 300 at step 336 to allow two way
transmission 338.

[0039] At step 340, Bob 204 may verify that Alice 202 did
in fact correctly increment Bob's random number N_B 304 by
determining at step 340 whether incremented random number
N_B+1 330 received from Alice 202 over transmission 328 less
its increment is equal to Bob's random number N_B 304.

[0040] If incremented random number N_B+1 330 less its
increment is not equal to Bob's random number N_B 304, Bob 204
may terminate session 300 at step 342. If incremented random
number N_B+1 330 less its increment is equal to Bob's random
number N_B 304, then Bob 204 has verified that Alice's version
of the session key, K_A, is equal to Bob's version of the
session key, K_B (namely, K_A = K_B). Bob 204 then may continue
with session 300 at step 344 to allow two way transmission
346.

[0041] At the point where both two way transmission 338 and
two way transmission 346 are allowed, two way transmission 348
may be continuously opened between Alice 202 and Bob 204.
Each of two way transmission 338, two way transmission 346,
and two way transmission 348 may be two way encrypted
transmissions.
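Key exchange 200 and key verification 300 as described above, as an added Python example that is not part of the patent text. Constructed assumptions: a small public prime β and generator α so the script runs instantly, a SHA-512 pad XOR standing in for the unspecified symmetric cipher behind the (N)_K notation, and a `substituted_m_a` parameter that models the packet substitution of [0029].

```python
import hashlib
import secrets
from typing import Optional

BETA = 2**127 - 1   # constructed modulus; the text calls for far larger primes
ALPHA = 3           # constructed generator


def xor_crypt(key: int, label: bytes, data: bytes) -> bytes:
    """Constructed demo cipher for (data)_key: XOR with a SHA-512 pad derived from
    the key and a per-message label. XOR is self-inverse, so the same call performs
    the encryption of step 306 and the decryption of step 310."""
    pad = hashlib.sha512(key.to_bytes(16, "big") + label).digest()
    assert len(data) <= len(pad), "demo pad covers at most 64 bytes per message"
    return bytes(d ^ p for d, p in zip(data, pad))


def to_bytes(n: int) -> bytes:
    """Fixed 32-byte big-endian encoding of a nonce or its increment."""
    return n.to_bytes(32, "big")


def exchange_200(r_a: int, r_b: int, substituted_m_a: Optional[int] = None):
    """Steps 210-220 of Figure 2. Returns (M_A, M_B, K_A, K_B).

    substituted_m_a models Mallory replacing Alice's packet on transmission 214
    ([0029]): Bob then derives K_B from the substitute and K_B != K_A."""
    m_a = pow(ALPHA, r_a, BETA)                       # (210) M_A = alpha^R_A mod beta
    m_b = pow(ALPHA, r_b, BETA)                       # (212) M_B = alpha^R_B mod beta
    m_a_at_bob = m_a if substituted_m_a is None else substituted_m_a
    k_b = pow(m_a_at_bob, r_b, BETA)                  # (215) K_B = M_A^R_B mod beta
    k_a = pow(m_b, r_a, BETA)                         # (220) K_A = M_B^R_A mod beta
    return m_a, m_b, k_a, k_b


def verification_300(k_a: int, k_b: int, n_a: int, n_b: int):
    """Steps 302-344 of Figure 3. Returns (alice_accepts, bob_accepts)."""
    # 306/308: Alice sends (N_A)_{K_A}
    pkt306 = xor_crypt(k_a, b"306", to_bytes(n_a))
    # 310/312: Bob decrypts with K_B and increments Alice's nonce
    n_a_at_bob = int.from_bytes(xor_crypt(k_b, b"306", pkt306), "big")
    # 314/316: Bob sends the string (N_B, N_A+1) encrypted under K_B
    pkt314 = xor_crypt(k_b, b"314", to_bytes(n_b) + to_bytes(n_a_at_bob + 1))
    # 318: Alice decrypts with K_A and splits the string into N_B 320 and N_A+1 322
    plain318 = xor_crypt(k_a, b"314", pkt314)
    n_b_at_alice = int.from_bytes(plain318[:32], "big")
    n_a_plus_1_at_alice = int.from_bytes(plain318[32:], "big")
    # 324-328: Alice increments Bob's nonce and sends it back under K_A
    pkt326 = xor_crypt(k_a, b"326", to_bytes(n_b_at_alice + 1))
    # 330: Bob decrypts with K_B
    n_b_plus_1_at_bob = int.from_bytes(xor_crypt(k_b, b"326", pkt326), "big")
    # 332/340: each side subtracts the increment and compares with its own nonce;
    # a mismatch means K_A != K_B and that side terminates the session (334/342)
    alice_accepts = n_a_plus_1_at_alice - 1 == n_a
    bob_accepts = n_b_plus_1_at_bob - 1 == n_b
    return alice_accepts, bob_accepts


def run_session(substituted_m_a: Optional[int] = None):
    """One full 200 + 300 session with fresh private keys and 128-bit nonces."""
    r_a, r_b = secrets.randbelow(BETA - 2) + 1, secrets.randbelow(BETA - 2) + 1
    _, _, k_a, k_b = exchange_200(r_a, r_b, substituted_m_a)
    return verification_300(k_a, k_b, secrets.randbits(128), secrets.randbits(128))


if __name__ == "__main__":
    print("honest session accepted by (Alice, Bob):", run_session())
    print("M_A substituted on transmission 214:", run_session(pow(ALPHA, 12345, BETA)))
```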

[0042] Figure 4 illustrates two-way random number exchange
400. Two-way random number exchange 400 assumes that password
P_A 406 equals password P_B 414. Each party to two-way random
number exchange 400 then works to satisfy themselves that the
other person knows the password in their own possession. In
other words, the protocol of two-way random number exchange
400 in Figure 4 works towards proving to Bob 404 that Alice
402 knows password P_B 414 (which is in the possession of Bob
404), and likewise works towards proving to Alice 402 that Bob
404 knows password P_A 406 (which is in the possession of Alice
402).
[0043] To begin, Alice 402 may store password P_A 406 as
associated with identity 408 at step 410. Identity 408 may
represent Alice 402, herself ("userid = Alice"). At step 412,
server Bob 404 may store password P_B 414 as associated with
identity 416 in a secure location. This storage may occur
long before the remainder of session 400. Identity 416 may
represent Alice 402, herself ("userid = Alice"). Where
password P_A 406 as associated with identity 408 in fact equals
password P_B 414 as associated with identity 416, password P_A
406 and password P_B 414 may be referred to as a shared
password. Where this shared password is only known to Alice
402 and Bob 404, the shared password may be referred to as a
shared secret password.

[0044] In two-way random number exchange 400, Alice 402 may
generate random number N_A 418 at step 418 and Bob 404 may
generate random number N_B 420 at step 420. At step 422, Alice
402 may transmit identity 408 and service request 424 to Bob
404. Passwords employed in the protocol of two-way random
number exchange 400 are never sent over the network 403 in the
clear.

[0045] At step 424, Bob 404 may retrieve password P_B 414 and
identity 416 based on received identity 408. At step 426, Bob
404 may verify that identity 408 received from Alice 402 in
transmission 422 equals identity 416. By itself, successful
retrieval of identity 416 may validate the prior presence of
Alice 402 on server Bob 404. If identity 408 does not equal
identity 416, Bob 404 may proceed to step 428 and stop
transmission 403. If identity 408 does equal identity 416,
Bob 404 may proceed to step 430. At step 430, Bob 404 may
continue to step 438 since Alice 402 is identified to Bob 404.
At step 438, Bob 404 may transmit random number N_B 420 to
Alice 402.

[0046] At step 440, Alice 402 may encrypt Bob's random
number N_B 420 with password P_A 406. At step 442, Alice may
transmit both Alice's random number N_A 418 and the password
encrypted nonce (N_B)_{P_A} 440 to Bob 404.

[0047] Bob 404 may decrypt the ciphertext (N_B)_{P_A} 440 at
step 444 by employing password P_B 414 as a key. This may
permit Bob 404 to verify that his generated random number N_B
420 is equal to the decryption of Alice's password encrypted
nonce (N_B)_{P_A} 440 received over transmission 442, such that

N_B = ((N_B)_{P_A})^{-1}_{P_B} (444).

[0048] If false, Bob 404 may proceed to step 446 and stop
transmission 403. If true, Bob 404 may continue with session
400 at step 448 since Alice 402 is authenticated to Bob 404 by
proving that password P_A 406 is equal to password P_B 414.
Once authenticated, Bob 404 may encrypt Alice's random number
N_A 418 with the password P_B 414 at step 450. Bob 404 may then
transmit encrypted package 450 to Alice 402 at step 452.
Alice 402 may decrypt encrypted package 450 to verify at step
454 that her generated random number N_A 418 is equal to the
decryption of Bob's password encrypted nonce (N_A)_{P_B} 450
such that

N_A = ((N_A)_{P_B})^{-1}_{P_A} (454).

If false, Alice 402 may proceed to step 456 and stop
transmission 403. If true, Alice 402 may proceed to step 458
and continue with session 400 since Bob 404 is now
authenticated to Alice 402. To continue with session 400,
Alice 402 may seek to continue with an unencrypted, two way
transmission at step 460 so as to receive from Bob 404 action
on service request 424.

[0049] After Bob 404 transmits encrypted package 450 to 
Alice 402 at step 452, Bob may continue with session 400 at 
step 462. Bob may continue with session 400 by seeking to 
establish two way communications with Alice 402 at step 464. 
If Alice 402 seeks to establish two way communications at step 
460 and Bob 404 seeks to establish two way communications at 
step 464, Alice 402 and Bob 404 may establish unencrypted, two 
way communication channel 466. 
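Two-way random number exchange 400 as described above, as an added Python example that is not part of the patent text. Constructed assumptions: a SHA-512 pad XOR stands in for the unspecified cipher behind (N)_P, passwords are hashed to a fixed-length key before use, Bob's user list is a dict, and the identity and password values are sample data.

```python
import hashlib
import secrets
from typing import Optional, Tuple


def xor_crypt(key: bytes, label: bytes, data: bytes) -> bytes:
    """Constructed demo cipher for (data)_P: XOR with a SHA-512 pad derived from the
    password key and a per-message label; XOR is self-inverse, so it also decrypts."""
    pad = hashlib.sha512(key + label).digest()
    return bytes(d ^ p for d, p in zip(data, pad))


def password_key(password: str) -> bytes:
    """Turn the shared secret password into a fixed-length key (constructed choice)."""
    return hashlib.sha256(password.encode()).digest()


class Bob:
    """Server side: steps 412, 424-438 and 444-452 of Figure 4."""

    def __init__(self, user_list: dict):
        self.user_list = user_list       # identity -> P_B, stored at step 412
        self.identity: Optional[str] = None
        self.n_b: Optional[int] = None
        self.alice_authenticated = False

    def handle_request(self, identity: str) -> Optional[int]:
        """Steps 424-438: look the identity up; on a hit return nonce N_B 420."""
        if identity not in self.user_list:      # 426 fails -> 428: stop transmission
            return None
        self.identity = identity                # 430: Alice is identified to Bob
        self.n_b = secrets.randbits(128)        # 420
        return self.n_b                         # 438

    def handle_response(self, n_a: int, enc_n_b: bytes) -> Optional[bytes]:
        """Steps 444-452: (N_B)_{P_A} must decrypt under P_B to N_B; then send (N_A)_{P_B}."""
        p_b = password_key(self.user_list[self.identity])
        n_b_seen = int.from_bytes(xor_crypt(p_b, b"440", enc_n_b), "big")   # (444)
        if n_b_seen != self.n_b:                # false -> 446: stop transmission
            return None
        self.alice_authenticated = True         # 448
        return xor_crypt(p_b, b"450", n_a.to_bytes(16, "big"))               # 450


class Alice:
    """Client side: steps 410, 418, 422, 440-442 and 454-458 of Figure 4."""

    def __init__(self, identity: str, password: str):
        self.identity = identity                      # 408
        self.p_a = password_key(password)             # 406, stored at 410
        self.n_a = secrets.randbits(128)              # 418
        self.bob_authenticated = False

    def respond(self, n_b: int) -> Tuple[int, bytes]:
        """Steps 440-442: return (N_A, (N_B)_{P_A})."""
        return self.n_a, xor_crypt(self.p_a, b"440", n_b.to_bytes(16, "big"))

    def verify(self, enc_n_a: bytes) -> bool:
        """Step 454: N_A must equal the decryption of (N_A)_{P_B} under P_A."""
        n_a_seen = int.from_bytes(xor_crypt(self.p_a, b"450", enc_n_a), "big")
        self.bob_authenticated = n_a_seen == self.n_a   # false -> 456, true -> 458
        return self.bob_authenticated


def run_exchange_400(alice: Alice, bob: Bob) -> Tuple[bool, bool]:
    """Drive one session over the unencrypted channel 403.
    Returns (alice_authenticated_to_bob, bob_authenticated_to_alice)."""
    n_b = bob.handle_request(alice.identity)            # 422 -> 438
    if n_b is None:
        return False, False
    n_a, enc_n_b = alice.respond(n_b)                   # 442
    enc_n_a = bob.handle_response(n_a, enc_n_b)         # 444 -> 452
    if enc_n_a is None:
        return False, False
    return True, alice.verify(enc_n_a)                  # 454


if __name__ == "__main__":
    # Constructed sample data; "shine" is the low-entropy password the text cites.
    print(run_exchange_400(Alice("alice", "shine"), Bob({"alice": "shine"})))
    print(run_exchange_400(Alice("alice", "guess"), Bob({"alice": "shine"})))
```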

[0050] Although the protocol of the Diffie-Hellman key
exchange 200 of Figure 2 and verification 300 of Figure 3 may
establish a communication channel that may be secure from
eavesdropping even where the constant parameters α and β are
known, this protocol is subject to man-in-the-middle attacks.
That is, an interloper such as Mallory may dispose himself
between Bob 204 and Alice 202 at transmission 203 of Figure 2
or transmission 303 of Figure 3 and pretend to be Alice to Bob
and pretend to be Bob to Alice. The reason for this is that
the Diffie-Hellman protocol 200 and 300 does not authenticate
to Bob 204 that Alice 202 may be really Alice 202, or vice
versa. Since Mallory may dispose himself between Bob 204 and
Alice 202, Mallory may decrypt, examine, and reencrypt passing
data packets without the knowledge of Bob 204 or Alice 202.
[0051] A strength of two-way random number exchange 400 of
Figure 4 lies in its resistance to spoofing, man-in-the-
middle, and replay attacks. Since any password employed in
the protocol of two-way random number exchange 400 is never
sent over the network in the clear, these passwords cannot be
picked up directly by Mallory or Eve. Thus, Mallory cannot
replay an authentication session such as session 400 since the
other party's nonce is random and Mallory cannot properly
encrypt it with a password of exchange 400. Spoofing and
man-in-the-middle attacks may be discovered for the same
reason. Thus, one way to tackle the problem of proving
identity is two-way random number exchange such as seen in
Figure 4. A discussion on two-way random number exchange may
be found in Gursharan S. Sidhu et al., Inside AppleTalk at
13-29 to 13-30 (1989).

[0052] Note that the two way communication channels 230 of
Figure 2 and 348 of Figure 3 are encrypted channels whereas
the two way communication channel 466 of Figure 4 is
unencrypted. Thus, it would not be obvious for one having
ordinary skill in the art to combine the teachings of Figure 2
and Figure 3 with that of Figure 4. However, employing
aspects of the Diffie-Hellman key exchange of Figure 2 and
Figure 3 along with the 2-Way Random Number Exchange of Figure
4 leads to surprising results as evidenced by the subsequent
discussion.

[0053] Figure 5 illustrates session 500 of the invention. 
Session 500 may include secure key exchange for identification 
and authentication where Alice 502 may be the final verifier. 
Secure key exchange may be viewed as verifying a session key 
after an initial public key exchange. Moreover, 
identification may be viewed as establishing identity and 
authentication may be viewed as verifying identity. 
[0054] In session 500, Alice 502 may store password P_A 506
as associated with identity 508 at step 510. Identity 508 may
be any transmittable device by which Alice 502 may be
recognizable or known to Bob 504. Identity 508 may represent
Alice 502 herself ("userid = Alice"). Storage by client Alice
502 may be through memorizing password P_A 506 and identity 508
within user Alice's own mind.

[0055] At step 512, server Bob 504 may store password P_B 514
as associated with identity 516 in a secure location.
Identity 516 may represent Alice 502, herself ("userid =
Alice").

[0056] Where password P_A 506 as associated with identity 508
equals password P_B 514 as associated with identity 516,
password P_A 506 and password P_B 514 may be referred to as a
shared password. Where this shared password is only known to
Alice 502 and Bob 504, the shared password may be referred to
as a shared secret password. The secret password may be
shared through communication channels other than transmission
channel 503. Where transmission channel 503 may be the
Internet, the communication channel other than transmission
channel 503 may be the domestic or international government
mail.

[0057] Alice 502 may generate random number R_A 518 at step
518. At step 520, Bob 504 may generate random number R_B 522
and random number 524. Alice's random number R_A 518 and
Bob's random number R_B 522 may be large, 512-bit random numbers
and may serve as "private keys" for session 500. Bob's random
number 524 may serve as a nonce for session 500. A nonce
may be a random number made and used briefly for a special
purpose, such as validating one particular step of session
500.

[0058] Next, at steps 526 and 528, respectively, Alice 502
and Bob 504 may use modulus exponentiation on their respective
private keys R_A 518 and R_B 522 to derive keys that will be
publicly exchanged. Modulus (mod) exponentiation may be used
to generate these public keys since exponentiation in modular
arithmetic may be performed by a computer without generating
huge intermediate results.

[0059] To generate public key 526, Alice 502 may set her
public key M_A 526 equivalent to constant parameter α raised to
the exponential power of Alice's private, random key R_A 518,
modulo parameter β. Parameter α and parameter β may be known
to both Alice 502 and Bob 504 and may be prime numbers. A
prime number may be viewed as an integer greater than the
number one whose only factors are one and itself such that no
other number evenly divides that integer. The length of
parameter α and parameter β may be at least 512 bits.

[0060] To generate public key 528, Bob 504 may set his
public key M_B 528 equivalent to constant parameter α raised to
the exponential power of Bob's private, random key R_B 522,
modulo parameter β. Thus,

M_A = (α)^{R_A} mod β (526)

M_B = (α)^{R_B} mod β (528).

[0061] Alice 502 and Bob 504 may next exchange their
generated public keys. However, since it may be client Alice
502 who is seeking authentication from server Bob 504 as a
prelude to requesting communication services such as service
request 532, Alice 502 first may transmit identity 508, public
key M_A 526, and service request 532 at step 530 to Bob 504.

[0062] At step 534, Bob 504 may obtain password P_B 514 and
identity 516 in his user list based on identity 508 received
from Alice 502 over transmission 530. Password P_B 514 may be
of poor quality such as the low entropy English word "shine."
Bob 504 may have cleartext access to password P_B 514.
Alternatively, Bob 504 may store password P_B 514 as ciphertext,
retrieve it as ciphertext, and then decrypt the encrypted
password to cleartext P_B 514 so as to minimize the amount of
time password P_B 514 resides as cleartext in Bob 504. Bob 504
may also decrypt password P_B 514 to cleartext along with
several other nonce numbers so that the cleartext of password
P_B 514 resides among a list of cleartext nonce numbers of
which only Bob 504 may know which is password P_B 514.

[0063] At step 536, Bob 504 may verify that identity 508
received from Alice 502 equals identity 516 as obtained from
Bob's user list. If identity 508 does not equal identity 516
at step 536, Alice 502 may be an invalid user as far as Bob
504 may be concerned and Bob 504 may proceed to step 538.

[0064] From step 538, Bob 504 may have two options. If Bob
504 proceeds to step 540, Bob 504 may stop participating in
session 500. In other words, in response to an invalid user
attempting access to Bob 504, server Bob 504 may terminate
session 500. Preferably, server Bob 504 would continue
session 500 by generating a random password P_B 542 at step 542.
By continuing session 500 with randomly generated password P_B
542, Bob 504 may avoid revealing the validity of account names
stored in the user list of Bob 504. By not revealing the
validity of account names stored in the user list of Bob 504,
Bob 504 may not be subject to repeat attacks.

[0065] If identity 508 does equal identity 516 at step 536,
Bob 504 may continue at step 544 with session 500. On
continuing with session 500, Bob 504 may employ modulus
exponentiation on Alice's public key M_A 526 at step 546 to
generate private session key K_B 546 as follows:

K_B = (M_A)^{R_B} mod β (546).

It is assumed that K = K_B, thus

K = K_B = (M_A)^{R_B} mod β (545).

Session key K_B 546 may be a key whose use may be limited to a
particular session, such as session 500. The order of step
546 may be changed with step 536, step 534 or step 548
described below.

[0066] At step 548, Bob 504 may employ a combining
function, f, on password P_B 514 (or password P_B 542) and on
the key exchange pieces of Alice's public key M_A 526 and Bob's
public key M_B 528 to generate high-entropy secret S_B 548.
Similar to the assumption that K = K_B, it is assumed that S =

[0067] Advantageously, the combining function need not
encrypt the key exchange pieces (M_A 526 and M_B 528) with
password P_B 514 according to a standard encryption scheme,
such as Data Encryption Standard (DES) or Rivest Cipher 4
(RC4). In one embodiment, Bob's combining function, f,
combines the key exchange pieces with password P_B 514 and
hashes the result using a one-way hashing algorithm. The use
of the three variables password P_B 514, public key M_A 526,
and public key M_B 528 may make the output high-entropy secret
S_B 548 session specific, that is, specific to one session
such as session 500.
[0068] The combining function may be any function where the
input data cannot be determined given the output data. In
view of this input/output relationship, the combining function
may be a secure hash. More particularly, the combining
function may be a one-way hash function. The one-way hashing
algorithm may be the Secure Hash Algorithm (SHA) or the
Message Digest 5 (MD5). A Secure Hash Algorithm (SHA) may be
called secure because it may be designed to be computationally
infeasible to recover a message corresponding to a given
message digest, or to find two different messages that produce
the same message digest. The one-way hashing algorithm also
may be Snefru (named after an Egyptian pharaoh), Nippon
Telephone and Telegraph Hash (N-Hash), or Gosudarstvennyi
Standard (GOST) Soyuza SSR (Government Standard of the Union
of Soviet Socialist Republics, GOST USSR).

[0069] Combining and hashing may result in scattering the
data bits representing password P_B 514 among the data bits
representing the key exchange pieces, here, the two random
numbers of M_A 526 and M_B 528. A benefit of employing a one-way
hashing algorithm on one or more parts to produce a resulting
value may be that the resulting value cannot be reverse
engineered to obtain the original parts. Thus, interception
of any form of high-entropy secret S_B 548 by Mallory or Eve
over transmission 503 may not diminish the security of session
500.
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[0070] In another ernbodiment , the combining function, 
may combine that value or those values known by both Bob 504 
and Alice 502 and hash the result. In a further embodiment, 
the combining function, /, may hash password 542 into itself 
(for example, S3 = /(P3, P J ) - Moreover, in another errOoodiment , 
the combining function may combine at least one of Alice's 
public key 526 and Bob's public key 528 with password P^ 
542 and hash the result. In another embodiment, high-entropy 
secret 548 may be equal to at least one of those values 
known by both Bob 504 and Alice 502, such as password P^ 542, 
parameter a, or parameter S. 

[0071] In another embodiment, generating high-entropy
secret S_B 548 may include employing a plurality of combining
functions, where each of the plurality of combining functions
produces a result. The first combining function may be
employed on at least one of public key M_A 526, password P_B 542,
and public key M_B 528 to produce a result. Each of the
subsequent combining functions may be employed on sequential
combining function results and on at least one of public key
M_A 526, password P_B 542, and public key M_B 528, such that the
result produced by the last combining function may be high-
entropy secret S_B 548. Examples include:

S_B = f(P_B, f(P_B, M_A, M_B)) (548),

S_B = f(M_A, f(P_B, f(M_A, M_B))) (548), and

S_B = f(f(f(f(P_B, M_A), f(P_B, M_A, M_B))), f(M_A, M_B)) (548).

Although the nomenclature of each combining function is
illustrated as f, the combining functions need not be the same
function, such that, for example,

S_B = f_{B1}(P_B, f_{B2}(P_B, M_A, M_B)) (548).

[0072] At step 550, Bob 504 may encrypt random number N_B 524
with high-entropy secret S 548 (recall that it was assumed
that S = S_B) to obtain encrypted nonce (N_B)_S 550. This
encryption may be performed using a symmetrical encryption
algorithm. An example of a symmetrical encryption algorithm
that may be used is the 56-bit Data Encryption Standard (DES).

[0073] At step 552, Bob 504 may superencrypt encrypted
nonce (N_B)_S 550 with session key K 546 (recall that it was
assumed that K = K_B) to create combining piece ((N_B)_S)_K 552.
Each encryption may be symmetrical. Each encryption may
incorporate a feedback mechanism. In one embodiment, the
encryption may employ the block cipher CAST-128 (inventors
Carlisle Adams and Stafford Tavares) with cipher block
chaining (CBC) to add a feedback mechanism to the encryption
device.

[0074] In an alternate embodiment, Bob 504 may encrypt
random number N_B 524 first with session key K_B 546 and then
superencrypt encrypted nonce (N_B)_K with high-entropy secret S
548 to create combining piece ((N_B)_K)_S. However, the order of
the encryption as illustrated in steps 550 and 552 (S first
then K) is preferred for CBC mode encryption since this
encryption order reduces the opportunity for eavesdropper Eve
to conduct an offline attack with substantially known
plaintext.

[0075] In an alternate embodiment, Bob 504 may encrypt
random number N_B 524 with password P_B 542 and superencrypt the
encrypted nonce (N_B)_{P_B} with session key K 546 to create the
combining piece ((N_B)_{P_B})_K or reverse the order to create the
combining piece ((N_B)_K)_{P_B}. In another embodiment, step 552 may
be eliminated and (N_B)_S 550 may be transmitted at step 554.
[0076] In another embodiment, random number N_B 524 may be
encrypted with one of public key M_A 526, parameter α,
parameter Σ, public key M_B 528, session key K 546, password P_B
542, and high-entropy secret S 548. The resulting encrypted
nonce may be written as (N_B)_f, where f = M_A, α, Σ, M_B, K, P_B, S,
or any other value that may be known by the parties to session
500. Encrypted nonce (N_B)_f may be superencrypted with one of
public key M_A 526, parameter α, parameter Σ, public key M_B 528,
session key K 546, password P_B 542, and high-entropy secret S
548. The resulting superencrypted nonce may be written as
((N_B)_f)_g, where f = M_A, α, Σ, M_B, K, P_B, S, or any other value
that may be known by the parties to session 500 and g = M_A, α,
Σ, M_B, K, P_B, S, or any other value that may be known by the
parties to session 500.

[0077] Where the parties desire to validate session key K_B
546, one of the letters "f" and "g" may represent session key
K_B 546 and the other letter may represent one of public key M_A
526, parameter α, parameter Σ, public key M_B 528, session key
K_B 546, password P_B 542, and high-entropy secret S 548 or any
other value that may be known by the parties to session 500.
[0078] The superencryption of random number N_B 524 may be
written as

where the variable "i = 2" may represent an encryption of an
encryption and the variable "n" represents the total number of
encryptions such that n ≥ 2. Each encryption may be to a
variable taken from the pool of variables known by the parties
to session 500.

[0079] The superencryption of random number N_B 524 may be
where n is greater than one. For example, where n = 3, the
superencryption of random number N_B 524 may be written as

[0080] Where the parties desire to validate session key K_B
546, one of the letters "f", "g", and "h" may represent
session key K_B 546 and the other letters may represent one of
public key M_A 526, parameter α, parameter Σ, public key M_B 528,
session key K_B 546, password P_B 542, and high-entropy secret S
548 or any other value that may be known by the parties to
session 500.

[0081] At step 554, Bob 504 may transmit to Alice 502 his
public half of the key exchange, public key M_B 528, as well as
transmit the superencrypted nonce identified as combining
piece ((N_B)_S)_K 552. By encrypting under his version of the session
key K_B 546 to form combining piece ((N_B)_S)_K 552 at step 554,
Bob 504 may start the key verification phase before Alice 502
has constructed her version of the session key K_A 556. This
may be distinguished from known methods which require Bob and
Alice to possess their version of the session key (K_B and K_A)
prior to beginning the key verification phase. Moreover,
using his version of the session key K_B 546 to form
combining piece ((N_B)_S)_K 552 at step 554 permits Bob 504 and
Alice 502 to conduct key verification and identity
verification at the same time.

[0082] On receiving Bob's public key M_B 528, Alice 502 may
employ modulus exponentiation at step 556 to generate session
key K_A 556 as follows:

K_A = (M_B)^{R_A} mod Σ (556).

Where α_A = α_B and Σ_A = Σ_B, the session keys K_A and K_B are
designed to match since K = K_A = K_B = α^{R_A R_B} mod Σ.

[0083] At step 558, Alice 502 may employ the combining
function, f, to combine password P_A 506 with Alice's public key
M_A 526 and Bob's public key M_B 528 to produce high-entropy
secret S_A 558. The different embodiments for K in step 546 and
S in step 548 apply similarly to K in step 556 and S in step
558.

[0084] If the combining function or functions, f, used by
Alice 502 in step 558 are the same as the combining function,
f, used by Bob 504 in step 548, then authentication will occur,
all else being equal. In other words, if the
function and variables employed by Alice 502 in step 558 to
produce high-entropy secret S_A 558 are the same as employed by
Bob 504 in step 548 to produce high-entropy secret S_B 548, then
S_A 558 will equal S_B 548.

[0085] At step 560, Alice 502 may decrypt the
superencrypted nonce received from Bob 504, here combining
piece ((N_B)_S)_K 552, to obtain N_{B_A} 560 such that

A subscript "A" (or 'Alice') to the subscript "B" (or 'Bob')
as applied to the random nonce "N", as in N_{B_A}, may account for the
fact that Alice's decryption of Bob's random nonce N_B 524 may
not reveal Bob's random nonce N_B 524 in all cases. In other
words, N_{B_A} 560 may not always equal N_B 524. For example, if
Alice's K_A 556 does not match Bob's K_B 546 used to encrypt the
nonce received from Bob 504, then N_{B_A} ≠ N_B. Moreover, if
Alice's S_A 558 does not match Bob's S_B 548 used to encrypt the
nonce received from Bob 504, then N_{B_A} ≠ N_B. However, we assume
that they do match as is conventional in the art.

[0086] At step 562, Alice 502 may generate her own
verification nonce, random number N_A 562. Steps 556, 558 and
562 may occur in any order. However, step 560 must be
completed after steps 556 and 558 have been performed.

[0087] Next, Alice 502 may modify N_{B_A} 560 received from Bob
504 over transmission 554. At step 564, Alice 502 may modify
N_{B_A} 560 to obtain modified random number N_B+1 564.
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[0088] Modification, such as in step 564, may include any 
simple and effective modification of the nonce in a way that 
may be mutually known by both Alice 502 and Bob 504. 
Modifications to the nonce may include increasing the nonce in 
number, size, quantity, or extent through a positive or 
negative change. The modification may be a slight, barely 
perceptible augmentation such as incrementing by a value of 
one. Moreover, the modification may be one of a series of 
regular additions or contributions to the nonce such as by 
values or functions other than a value of one. Furthermore, 
the modification may be a reordering of the nonce, such as 
inverting or reversing the bits that make up the nonce. 
[0089] After modifying N_{B_A} 560 received from Bob 504 over
transmission 554, Alice 502 may superencrypt her nonce, here
random number N_A 562, and Bob's modified nonce, here modified
random number N_B+1 564, first with high-entropy secret S_A 558
at step 566, then with session key K_A 556 at step 568. Alice
502 may then send the result,

((N_A, N_B+1)_S)_K (568)

to Bob 504 at step 570.

[0090] The alternative encryption embodiments discussed in
connection with step 550 and step 552 apply to steps 566 and
568 as well. Alternatively, Alice 502 may swap the variables
N_A and N_B+1 and transmit at step 570 ((N_B+1, N_A)_S)_K to Bob 504.
However, even though the modified nonce, here N_B+1 564, may
significantly differ from the original nonce, here N_{B_A} 560,
((N_A, N_B+1)_S)_K is preferred since placing random number N_A 562 at
the beginning of the string to be encrypted may change the
resulting cipher text that much more when used with a feedback
mechanism such as cipher block chaining (CBC).
[0091] At step 572, Bob 504 may decrypt Alice's
superencrypted payload ((N_A, N_B+1)_S)_K 568 to extract random
number N_A 574 and modified random number N_B+1 576 received from
Alice 502, such that

N_A 574, N_B+1 576 = ((((N_A, N_B+1)_S)_K)^{-1}_K)^{-1}_S (572),

where the superscript -1 denotes decryption under the indicated
key. The order of key decryption may be a function of
superencrypted payload ((N_A, N_B+1)_S)_K 568.

[0092] Bob 504 may next verify that Alice 502 did in fact
correctly modify Bob's random number N_B 524 by determining at
step 578 whether modified random number N_B+1 576 received from
Alice 502 over transmission 570 less its modification is equal
to Bob's random number N_B 524.

[0093] If modified random number N_B+1 576 less its
modification is not equal to Bob's random number N_B 524, Bob
504 may terminate session 500 at step 579. If this is the
case, Alice 502 may be an invalid user. It will be
appreciated that the verification may be achieved by comparing
modified random number N_B+1 576 received from Alice 502 with a
similarly modified version of Bob's random number N_B 524.
[0094] Recall that, at step 542, if Alice 502 was not in
the user list of Bob 504, Bob 504 may generate random password
P_B 542 and continue session 500 with password P_B 542.
Continuing session 500 with password P_B 542 avoids revealing to
a potential attacker the validity of account names in the user
list of Bob 504 (provided the two code paths also take
comparable time, since a timing difference would reveal what
the protocol messages conceal). Thus, if Bob 504 was not able to
verify at step 536 that identity 508 was part of Bob's user list,
then modified random number N_B+1 576 less its modification
will not match Bob's random number N_B 524. Only in a hapless
and very rare circumstance would password P_A 506 match random
password P_B 542. Regardless of a hapless circumstance, Bob 504
will remember between steps 538 and 578 that Alice 502 is an
invalid user such that, even if password P_A 506 matches random
password P_B 542, Bob 504 may terminate session 500 at step 579.

[0095] If modified random number N_B+1 576 less its
modification is equal to Bob's random number N_B 524, then Bob
504 has verified that Alice 502 knows Bob's high-entropy
secret S_B 548 and has verified that Alice's session key K_A 556
is equal to Bob's session key K_B 546. If Bob 504 has verified
that Alice 502 knows high-entropy secret S_B 548 at step 578,
Alice 502 is authenticated to Bob 504. Bob 504 may continue
with session 500 at step 580.

[0096] From step 580, Bob 504 may have two choices. Bob 
504 may proceed to step 581 and initiate an individually 
secure one way or two way communication link with Alice 502 or 
proceed to step 583 and continue to work towards establishing 
a mutually secure two way communication channel with Alice 
502. 
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[0097] Bob 504 may open a one way or two way communication 
channel with Alice 502 with little risk to Bob 504 since Bob 
504 now has identified Alice 502 (step 544) and authenticated 
the identity of Alice 502 (step 580). In other words. Bob 504 
may now be reasonably certain that it is Alice 502 on the 
other end of transmission 503 and would risk little in 
accepting transmissions from Alice 5 02 or sending 
transmissions to Alice 502. However, Alice 502 has yet to 
identify or even authenticate that it is Bob 5 04 on the other 
end and would risk much to freely receive transmissions from 
Bob 504 or freely send transmissions to Bob 504. 
[0098] A one way communication link may permit Bob 504 to 
receive transmissions from Alice 5 02 but prohibit Bob 504 from 
sending transmissions to Alice 502 or prohibit Alice 502 from 
receiving transmissions from Bob 504. An example of where 
transmissions 582 may be used is in a company that sells 
products in supermarkets. After the remote route salespersons 
have compiled their stocking and removal from stocking 
statistics in a handheld computer, each route salesperson may 
remotely open transmission 582 (such as over a telephone line) 
with the company server to upload stocking statistical data to 
the company server. 

[0099] As noted above, Bob 504 may have two choices from
step 580. Alternative to proceeding to step 581, Bob 504 may
proceed to step 583 and continue to work towards establishing
a mutually secure two way communication channel with Alice
502. At step 583, Bob 504 may generate a random string of
bits identified as initialization vector I_B 583 which may
optionally be of zero length. Initialization vector I_B 583 (or
initializing variable or initial chaining value) may be used
to make the message transmitted over transmission 503 unique
and thus need not have any meaning outside of transmission
589. In one embodiment, initialization vector I_B 583 may be a
time stamp.

[0100] At step 584, Bob 504 may modify random number N_A 574
received from Alice 502 over transmission 570 by modifying
Alice's random number N_A 574 to obtain N_A+1 584. Again, as
with step 564, Bob 504 may modify random number N_A 574 in any
way that Bob 504 and Alice 502 previously agreed upon. Bob
504 may then superencrypt initialization vector I_B 583 and
modified random number N_A+1 584, first with the high-entropy
secret S_B 548 at step 586, and then with session key K_B 546 at
step 588 to produce the result,

((I_B, N_A+1)_S)_K (588).

This order of encryption (S first then K) is preferred for CBC
mode encryption to reduce the amount of information given to
eavesdropper Eve. The alternate encryption embodiments
discussed in connection with steps 566 and 568 also apply to
steps 586 and 588.

[0101] At step 589, Bob 504 may transmit the result ((I_B,
N_A+1)_S)_K 588 to Alice 502. At step 590, Alice 502 may decrypt
Bob's superencrypted payload ((I_B, N_A+1)_S)_K 588 to extract
initialization vector I_B 591 and modified random number N_A+1
592, such that

I_B 591, N_A+1 592 = ((((I_B, N_A+1)_S)_K)^{-1}_K)^{-1}_S.
[0102] Alice 502 may next verify that Bob 504 did in fact
correctly modify Alice's random number N_A 562 by determining at
step 593 whether modified random number N_A+1 592 received from
Bob 504 over transmission 589 less its modification is equal
to Alice's random number N_A 562. If modified random number
N_A+1 592 less its modification is not equal to Alice's random
number N_A 562, Alice 502 may terminate session 500 at step 594.

[0103] Recall that if modified random number N_B+1 576 less
its modification matches random number N_B 524 at step 578, then
Bob 504 has verified that Alice 502 knows high-entropy secret
S_B 548. Concerning step 595, if modified random number N_A+1
592 less its modification is equal to Alice's random number N_A
562, Alice 502 may continue session 500 at step 595 since
Alice 502 has verified that Bob 504 knows high-entropy secret
S_A 558.

[0104] If verification step 595 is true, Bob 504 may be
identified and authenticated to Alice 502 so that Alice 502
may continue at step 595 to step 596. At step 596, Alice 502
may seek to open a mutually secure, two way communications
with Bob 504.

[0105] After transmitting ((I_B, N_A+1)_S)_K 588 to Alice 502 at
step 589, Bob 504 may continue at step 597 and seek to open a
mutually secure, two way communications with Alice 502 at step
598. Where Alice 502 seeks to open a mutually secure, two way
communications with Bob 504 and Bob 504 seeks to open a
mutually secure, two way communications with Alice 502,
mutually secure two way communication channel 599 may be
established.

[0106] Unlike cleartext authentication, an embodiment of
the invention does not provide Bob 504 with the secret
password P_A 506 at any time during or at the end of exchange
500. Moreover, at the end of session 500, Alice 502 now knows
that Bob 504 knew secret password P_A 506 at the start of
session 500.

[0107] As an exchange protocol, session 500 resists man-in- 
the-middle and replay attacks due to the combination of two 
random numbers with the shared password, as well as resists 
spoofed server, spoofed client, and eavesdropping attacks. 
Moreover, session 500 exhibits perfect backward secrecy and 
resists "session" key compromise. 

[0108] Symmetrical superencryption of a random nonce with
high-entropy secret S_B 548 as one of the keys works to provide
more security than employing a single encryption with low-
entropy shared password P_B 514. This may be due in part to the
incorporation of random numbers into the key. Moreover, the
superencryption may employ variables (M_A 526 and M_B 528) that
are tied closely into the particular transmission exchange.
Because M_A 526 and M_B 528 are random and specific to this
particular session 500, the random number transmitted over
transmission 503, here combining piece ((N_B)_S)_K 552, is also
very specific to a single, one way transmission 554 in a
single session 500. Since a single, one way transmission 554
in a single session 500 will not reoccur in session 500,
session 500 provides more security by working against replay
attacks. Moreover, due to the unpredictable possibilities of
Alice's and Bob's public keys, M_A 526 and M_B 528 respectively,
and Mallory's lack of knowledge of password P_A 506, password P_B
514 (or password P_B 542), Mallory cannot generate either of
high-entropy secret S_B 548 or high-entropy secret S_A 558.
Where Mallory cannot generate high-entropy secret S, session
500 works against man-in-the-middle attacks.

[0109] Figure 6 illustrates session 600 of the invention.
Recall that session 500 may include secure key exchange and
authentication where Alice 502 may be the final verifier.
Session 600 of Figure 6 may include secure key exchange and
authentication where Bob 604 may be the final verifier.

[0110] In session 600, Alice 602 may store password P_A 606
as associated with identity 608 at step 610. Identity 608 may
be any transmittable device by which Alice 602 may be
recognizable or known to Bob 604. Identity 608 may represent
Alice 602, herself ("userid = Alice"). Storage by client
Alice 602 may be through memorizing password P_A 606 and
identity 608 within her own mind.

[0111] At step 612, Bob 604 may store password P_B 614 as
associated with identity 616 in a secure location. Identity
616 may represent Alice 602, herself ("userid = Alice").
Where password P_A 606 as associated with identity 608 equals
password P_B 614 as associated with identity 616, password P_A
606 and password P_B 614 may be referred to as a shared
password. Where this shared password is only known to Alice
602 and Bob 604, the shared password may be referred to as a
shared secret password.

[0112] At step 618, Alice 602 may generate random number R_A
620 and random nonce or number N_A 622. Generating random nonce
N_A 622 this early in session 600 permits Alice 602 to verify
Bob 604 within two transmissions (here transmissions 636 and
664) such that Alice 602 may have the first informed
opportunity to break off communications with server Bob 604.
In comparison, Alice 502 only generated random number R_A 518 at
this similar step in session 500. This may work to give Bob
504 the first informed opportunity in session 500 to break off
communications with Alice 502.

[0113] At step 624, Bob 604 may generate random number R_B
626 and random number N_B 628. Alice's random number R_A 620 and
Bob's random number R_B 626 may be large, 512-bit random numbers
and may serve as private keys for this session. Alice's
random number N_A 622 and Bob's random number N_B 628 may serve
as nonces for session 600. It is to be understood that random
numbers N_A 622, R_A 620, N_B 628 and R_B 626 may be computed at any
time prior to their first use, for example, random number N_B
628 may be computed between steps 658 and 660.
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[0114] To generate public key 630 at step 630, Alice 602 
may set her public key 630 equivalent to constant parameter 

raised to the exponential power of Alice's private, random 
keyR^ 620, modulo parameter S^. To generate public key 632 
at step 632, Bob 604 may set his public key 632 equivalent 
to parameter raised to the exponential power of Bob's 
private key 614, modulo parameter S^. Thus, 

= {aj\ mod (630) 

M3 - (a3)''B mod S3 (632) . 

[0115] At step 634, Alice 602 may encrypt random number N_A
622 with password P_A 606 to obtain encrypted random nonce (N_A)_{P_A}
634. Alternatively, Alice 602 may superencrypt random number
N_A 622 with password P_A 606 and at least one other variable
known to both Alice 602 and Bob 604 or perform other
encryption variations on random number N_A 622 and password P_A
606 as discussed in connection with step 550 and step 552 of
Figure 5.

[0116] Encrypting random number N_A 622 with password P_A 606
works to accelerate the key verification phase so that the key
verification phase may start with Alice 602 of Figure 6 rather
than Bob 504 of Figure 5.

[0117] In encrypting random number N_A 622 with password P_A
606, step 634 is distinguished from Encrypted Key Exchange
(EKE - U.S. 5,241,599) in that encrypted random number N_A 622
is not based on a first signal such as random number R_A 620.
In other words, EKE would encrypt public key M_A 630 with
password P_A 606 whereas the present embodiment encrypts random
number N_A 622 with password P_A 606.

[0118] Encrypting random number N_A 622 with password P_A 606
works to ensure that password P_A 606 is not sent over
transmission 603 in the clear and that password P_A 606 encrypts
a completely meaningless, random value, here random number N_A
622. Thus, even though password P_A 606 may be a low entropy
shared secret, encrypting random number N_A 622 with password P_A
606 works to protect against offline password attacks. In
addition, encrypting random number N_A 622 with password P_A 606
works to permit the key verification and the identity
verification to be conducted at the same time.
[0119] At step 636, Alice 602 may transmit identity 608,
public key M_A 630, encrypted random nonce (N_A)_{P_A} 634, and
service request 638 to Bob 604. By transmitting public key M_A
630 at step 636, the key verification phase may start well
before Bob 604 even defines his version of the session key at
step 654.

[0120] At step 640, Bob 604 may obtain password P_B 614 and
identity 616 from his user list based on identity 608 received
from Alice 602 over transmission 636. The discussion in
connection with password P_B 514 of Figure 5 also applies to
password P_B 614 of Figure 6.

[0121] At step 642, Bob 604 may verify that identity 608
received from Alice 602 equals identity 616 as obtained from
Bob's user list. If identity 608 does not equal identity 616
at step 642, Alice 602 may be an invalid user as far as Bob
604 may be concerned and Bob 604 may proceed to step 644. At
step 644, Bob 604 may end session 600 at step 646 or continue
with session 600 and generate random password P_B 648 at step
648. The discussion in connection with step 542 of Figure 5
also applies to step 648 of Figure 6.

[0122] If identity 608 does equal identity 616 at step 642,
Bob 604 may continue at step 650 with session 600. On
continuing with session 600, Bob 604 may decrypt encrypted
random nonce (N_A)_{P_A} 634 to obtain random nonce N_A 652, such that

[0123] Bob 604 next may employ modulus exponentiation on
Alice's public key M_A 630 at step 654 to generate private
session key K_B 654 as follows:

K_B = (M_A)^{R_B} mod Σ_B (654).

[0124] At step 656, Bob 604 may employ a combining
function, f, on password P_B 614 (or password P_B 648) and on the
key exchange pieces of Alice's public key M_A 630 and Bob's
public key M_B 632 to generate high-entropy secret S_B 656. The
discussion in connection with step 548 of Figure 5 is
applicable to step 656 of Figure 6. In other words, Bob 604
may employ alternate embodiments with different combining
functions as discussed in connection with step 548 of session
500. Steps 652, 654, and 656 may be performed in any order.



Attny Docket 04860P2441 



[0125] At step 658, Bob 604 may modify N_A 652 to obtain
modified random number N_A+1 658. The discussion on
modification techniques in connection with step 564 of Figure
5 is applicable to step 658 in Figure 6.

[0126] After modifying N_A 652 received from Alice 602 over
transmission 636, Bob 604 may superencrypt his random number
N_B 628, and Alice's modified random number N_A+1 658, first with
high-entropy secret S_B 656 at step 660, then with session key
K_B 654 at step 662 to produce the result

((N_B, N_A+1)_S)_K (662).

The alternative encryption embodiments discussed in connection
with step 586 and step 588 of Figure 5 apply to steps 660 and
662 of Figure 6 as well.

[0127] At step 664, Bob 604 may transmit Bob's public key
M_B 632 and the resulting ciphertext ((N_B, N_A+1)_S)_K 662 to Alice
602.

[0128] On receiving Bob's public key M_B 632, Alice 602 may
employ modulus exponentiation at step 665 to generate Alice's
version of the session key as follows:

K = K_A = (M_B)^{R_A} mod Σ_A (665).

[0129] Alice 602 next may employ the combining function, f,
to generate Alice's version of the high-entropy secret. At
step 668, Alice may combine password P_A 606 with Alice's public
key M_A 630 and Bob's public key M_B 632 to produce high-entropy
secret S_A 668. Similar to step 558 of Figure 5, if the
function and variables employed by Alice 602 in step 668 to
produce high-entropy secret S_A 668 are the same as employed by
Bob 604 in step 656 to produce high-entropy secret S_B 656, then
S_A 668 will equal S_B 656 such that this common high-entropy
secret is shared by both Alice 602 and Bob 604.

[0130] At step 670, Alice 602 may decrypt Bob's
superencrypted payload ((N_B, N_A+1)_S)_K 662 to obtain N_B 672 and
N_A+1 674 by reversing the order of encryption employed by Bob
604 at steps 660 and 662.

[0131] Alice 602 may next verify that Bob 604 did in fact
correctly modify Alice's random number N_A 622 by determining at
step 676 whether modified random number N_A+1 674 received from
Bob 604 over transmission 664 less its modification is equal
to Alice's random number N_A 622. The discussion on
verification techniques in connection with step 578 of Figure
5 is equally applicable to step 676.

[0132] If modified random number N_A+1 674 less its
modification is not equal to Alice's random number N_A 622,
Alice 602 may terminate session 600 at step 677. If modified
random number N_A+1 674 received from Bob 604 over transmission
664 less its modification is equal to Alice's random number N_A
622, Alice 602 may continue to step 678.

[0133] From step 678, Alice 602 may have two choices. 
Alice 602 may proceed to step 679 and initiate an individually 
secure one way or two way communication link with Bob 604 or 
proceed to step 681 and continue to work towards establishing 
a mutually secure two way communication channel with Bob 604. 
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[0134] Alice 602 may open a one way or two way 
coinmunication channel with Bob 604 with little risk to Alice 
602 since Alice 602 has now verified that Bob's version of 
their shared secret 614 matches Alice's version P^606. In 
other words, Alice 602 may now be secure that it is Bob 604 on 
the other end of transmission 603 and would risk little in 
accepting transmissions from Bob 604 or sending transmissions 
to Bob 604. However, although Bob 604 may have identified 
Alice 602 at step 650, Bob 604 has yet to authenticate that it 
is Alice 602 on the other end of transmission 603 and would 
risk much to freely receive transmissions from Alice 602 or 
freely send transmissions to Alice 602, 

[0135] A one way communication link may permit Alice 602 to
receive transmissions from Bob 604 but prohibit Alice 602 from
sending transmissions to Bob 604 or prohibit Bob 604 from
receiving transmissions from Alice 602. An example of where
transmission 680 may be used is to securely stream Moving
Picture Experts Group 1 (MPEG-1) audio layer 3 (MP3)
compressed music specifically to Alice 602 from Bob 604 over
transmission 603 once one way communication 680 is
established.

[0136] Alternative to proceeding to step 679, Alice 602 may
proceed to step 681 and continue to work towards establishing
a mutually secure two way communication channel with Bob 604.
At step 681, Alice 602 may generate initialization vector I_A
681. Alice 602 then may modify random number N_B 672 at step
682. Again, as with step 564 of Figure 5, Alice 602 may modify
random number N_B 672 in any way that Bob 604 and Alice 602
previously agreed upon.

[0137] Alice 602 may then superencrypt initialization
vector I_A 681 and modified random number N_B+1 682, first with
the high-entropy secret S_A 668 at step 683, and then with
session key K_A 665 at step 684 to produce the result,

((I_A, N_B+1)_S)_K (684).

The alternate encryption embodiments discussed in connection
with steps 566 and 568 of Figure 5 also apply to steps 683 and
684 of Figure 6. At step 685, Alice 602 may transmit the
result ((I_A, N_B+1)_S)_K 684 to Bob 604.

[0138] At step 686, Bob 604 may decrypt Alice's 
superencrypted payload ((I, N_B+1)_668)_665 684 to extract 
initialization vector 687 and modified random number N_B+1 
688. Bob 604 may next verify at step 690 whether modified 
random number N_B+1 688 received from Alice 602 over 
transmission 685 less its modification is equal to Bob's 
random number 628. If modified random number N_B+1 688 less 
its modification is not equal to Bob's random number 628, 
Bob 604 may terminate session 600 at step 692. As was the 
case in the discussion with reference to step 579 of Figure 5, 
in a hapless case, Bob 604 will remember between steps 648 and 
690 that Alice 602 is an invalid user and may accordingly 
terminate the session at step 692. 
[0139] If modified random number N_B+1 688 less its 
modification is equal to Bob's random number 628, Bob 604 
may continue session 600 at step 693 since Bob 604 has 
verified that Alice 602 knows high-entropy secret 656. 
Verifying that Alice 602 knows high-entropy secret 656 
authenticates Alice 602 to Bob 604 (as well as identifies 
Alice 602 to Bob 604). Alice 602 may have been identified to 
Bob 604 at step 650 as well. Thus, if verification step 693 
is true, Alice 602 may be identified and authenticated to Bob 
604 so that Bob 604 may continue at step 693 to step 694. At 
step 694, Bob 604 may seek to open a mutually secure, two way 
communications with Alice 602. 

[0140] After transmitting ((I, N_B+1)_668)_665 684 to Bob 604 at 
step 685, Alice 602 may continue at step 695 and seek to open 
a mutually secure, two way communications with Bob 604 at step 
698. Where Bob 604 seeks to open a mutually secure, two way 
communications with Alice 602 and Alice 602 seeks to open a 
mutually secure, two way communications with Bob 604, mutually 
secure two way communication channel 699 may be established. 
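The exchange of steps 681 through 693, as an added example that is not code from the patent: the cipher is a constructed HMAC-SHA256 counter keystream with an encrypt-then-MAC tag standing in for whatever cipher the parties agreed upon, the agreed modification of random number 672 is assumed to be adding one, and the function names, the 64-bit width of the random numbers and the 16-byte initialization vector are assumptions.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
IV_LEN = 16          # assumed size of initialization vector 681
TAG_LEN = 32
RANDOM_MASK = (1 << 64) - 1  # assumed: random numbers carried as 64-bit values


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed HMAC-SHA256 counter keystream (stand-in for the agreed cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def layer_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """One encryption layer: nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def layer_decrypt(key: bytes, blob: bytes) -> bytes:
    """Undo one layer; raises ValueError if the tag does not verify under this key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("payload too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def alice_steps_681_to_685(secret_668: bytes, session_key_665: bytes,
                           random_672: int, iv_681: bytes) -> bytes:
    """Steps 681-684: (IV, N_B+1) encrypted under high-entropy secret 668 (step 683),
    then under session key 665 (step 684); the result 684 is what Alice sends at 685."""
    modified_682 = (random_672 + 1) & RANDOM_MASK      # agreed modification: +1
    payload = iv_681 + struct.pack(">Q", modified_682)
    inner_683 = layer_encrypt(secret_668, payload)
    return layer_encrypt(session_key_665, inner_683)


def bob_steps_686_to_693(secret_656: bytes, session_key: bytes,
                         blob_684: bytes, random_628: int):
    """Steps 686-693: peel the session-key layer, then the secret layer, then check
    that N_B+1 less its modification equals Bob's random number 628.
    Returns initialization vector 687 on success, or None where Bob terminates (692)."""
    try:
        inner = layer_decrypt(session_key, blob_684)
        payload = layer_decrypt(secret_656, inner)   # fails if Alice lacks secret 656
    except ValueError:
        return None
    if len(payload) != IV_LEN + 8:
        return None
    iv_687 = payload[:IV_LEN]
    modified_688 = struct.unpack(">Q", payload[IV_LEN:])[0]
    if (modified_688 - 1) & RANDOM_MASK != random_628:   # step 690 comparison
        return None
    return iv_687                                         # step 693: continue
```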
[0141] Embodiment 500 of Figure 5 may be used in situations 
where it may be more important for the server to have the 
first opportunity to break off communications, such as a false 
client situation. For example, servers hosting web pages of 
ebay.com, yahoo.com, the United States White House, the United 
States Pentagon, presidential candidates, and radio talk show 
hosts may want to employ embodiment 500 so as to have the 
first opportunity to break off communications (step 580 of 
Figure 5) during repeat attacks that attempt to overload these 
web sites with requests so as to shut them down. 
[0142] Session 500 of Figure 5 may be based on the Diffie- 
Hellman key exchange. However, any suitable key exchange 
protocol will work. For example, Fast Elliptical Encryption 
(FEE - see U.S. 5,463,690, U.S. 5,159,632, and U.S. 
5,271,061), Communications Setup (COMSET), Shamir's three-pass 
protocol, and Tatebayashi-Matsuzaki-Newman key exchange 
algorithms may be substituted for the Diffie-Hellman key 
exchange in session 500. Substituting a different key 
exchange protocol may involve replacing the computations of 
steps 526, 528, 546, and 556 with those computations 
applicable to the particular protocol. 

[0143] Embodiment 600 of Figure 6 may be used in situations 
where it may be more important for the client to have the 
first opportunity to break off communications, such as a false 
server situation. For example, a server hosting an electronic 
store may want to employ embodiment 600 to allow their 
customers passing their credit card number over the Internet 
to have the first opportunity to break off communications 
(step 678 of Figure 6) . This may instill in the customer a 
greater sense of security in conducting transactions over the 
Internet . 

[0144] One of the advantages of session 600 is that session 
600 includes three transmissions over transmission network 
603, which is two network transmissions less than Diffie- 
Hellman key exchange 200/verification 300 of Figure 2 and 
Figure 3 above. Moreover, although Figure 6 incorporates 
aspects of the Diffie-Hellman key exchange, any suitable key 
exchange protocol may be substituted into Figure 6. This may 
require appropriate substitutions in the computations of steps 
630, 632, 654, and 665. 

[0145] Session 500 and session 600 may be altered in that a 
step may be added after the false verification steps (538, 
579, 594, 644, 677, and 692) that returns the session to a 
prior step, such as the beginning of each session. This 
return step may be limited to two or three returns before 
ending the communication session. 

[0146] In the above client-server model embodiments of 
Figure 5 and Figure 6, Alice may represent a client seeking to 
authenticate to Bob to request services. However, Bob may be 
a client and Alice may be a server so that server-client 
models, server-server models, or client-client models also are 
encompassed within the scope of the subject matter of the 
claimed terms. Employing more than two parties per model 
(such as including at least one of the parties Carol and Dave) 
also may be encompassed within the scope of the subject matter 
of the claimed terms. 

[0147] Figure 7 illustrates an embodiment of the invention 
employed in Internet 700. Internet 700 may be any global 
information system that may be logically linked together by a 
globally unique address space based on an Internet Protocol 
(IP) or its subsequent extensions/follow-ons and may be able 
to support communications using the Transmission Control 
Protocol/Internet Protocol (TCP/IP) suite or its subsequent 
extensions/follow-ons, and/or other IP-compatible protocols. 
In one embodiment, Internet 700 may provide, use or make 
accessible, either publicly or privately, high level services 
layered on the communications and related infrastructure. 

[0148] Internet 700 may include client computer systems 
708, 710, 712, and 714 and server computer system 718 coupled 
to World Wide Web (WWW) 702. Client access to World Wide Web 
702 may be provided by Internet Service Providers (ISPs), such 
as ISP 704 and ISP 706. Users on client computer systems, 
such as clients 708, 710, 712, and 714, may be unrestricted 
public members and may obtain access to World Wide Web 702 
through Internet Service Providers, such as ISP 704 and ISP 
706. Access to World Wide Web 702 may allow users of clients 
708, 710, 712, and 714 to receive, view, and interact with Web 
pages. These Web pages may be provided by Web server systems, 
such as Web server system 716. Web server system 716, like 
ISP 704 and ISP 706, may be considered to be "on" World Wide 
Web 702. Often, these Web server systems are provided by the 
ISPs themselves, such as ISP 704, although a computer system 
may be set up and connected to World Wide Web 702 as part of 
Internet 700 without that computer system being also an ISP. 
[0149] Web server system 716 may be at least one computer 
system that operates as a server computer system and may be 
configured to operate with the protocols of World Wide Web 702 
as part of Internet 700. For example, web server system 716 
may be server Bob 504 of Figure 5 or server Bob 604 of Figure 
6. Optionally, Web server system 716 of Figure 7 may be part 
of an ISP that provides access to World Wide Web 702 to client 
systems. Web server system 716 may be coupled to server 
computer system 718, where server computer system 718 itself 
may be coupled to other devices, such as order form 711. 
Order form 711 may involve putting together a shopping order 
for consumer products. 

[0150] It will be appreciated that while two computer 
systems (716 and 718) are shown in Figure 7, Web server system 
716 and server computer system 718 may be one computer system 
having different software components providing the Web server 
functionality and the server functionality provided by server 
computer system 718. This will be described further below in 
connection with Figure 8 . 

[0151] Internet symbiosis may be thought of as a close, 
prolonged association between two or more different Internet 
organisms of the same or different species that may, but does 
not necessarily, benefit each member. ISP 704 may provide 
Internet symbiosis such as World Wide Web connectivity to 
client computer system 708 through modem interface 720. Modem 
interface 720 may be considered separate or apart from client 
computer system 708. In a similar fashion, ISP 706 may 
provide Internet symbiosis for client computer systems 710, 
712, and 714. 

[0152] Although client computer systems 710, 712, and 714 
may be in relationships of mutual benefit with or dependence 
upon World Wide Web 702 similar to client computer system 708, 
the connections need not be the same for client computer 
systems 710, 712, and 714 as shown in Figure 7. Client 
computer system 710 may be coupled through modem interface 722 
while client computer systems 712 and 714 may be part of a 
Local Area Network (LAN). The LAN may include network 
interfaces 724 and 726, LAN connections 728, and gateway 
computer system 730. Network interfaces 724 and 726 may be 
Ethernet network or other network interfaces. Client computer 
systems 712 and 714 may be coupled to LAN connections 728 
through network interfaces 724 and 726. To provide firewall 
and other Internet related services for the local area 
network, LAN connections 728 may be further coupled to gateway 
computer system 730. Gateway computer system 730, in turn, 
may be coupled to ISP 706 to provide Internet symbiosis to the 
client computer systems 712 and 714. 

[0153] Client computer systems 708, 710, 712, and 714 may 
each view Hyper Text Markup Language (HTML) pages or other 
digital media provided by the Web server system 716 when 
provided with the appropriate Web browsing software. These 
client computer systems may be a personal computer system, a 
network computer, a WebTV system, a wireless system, or other 
network enabled computing device. Moreover, gateway computer 
system 730 may be, for example, a conventional server computer 
system. Also, Web server system 716 may be a conventional 
server computer system. And, although Figure 7 shows 
interfaces 720 and 722 as "modems," it will be appreciated 
that each of these interfaces may be an analog modem, 
Integrated Services Digital Network (ISDN) modem, cable modem, 
cellular or other wireless interface, satellite transmission 
interface (for example, "DirectPC"), or other interface to 
couple a computer system to other computer systems. 

[0154] Figure 8 shows one example of conventional computer 
system 800. Computer system 800 may be used, for example, as 
client computer systems 708, 710, 712, and 714, Web server 
system 716, or server computer system 718 of Figure 7. It 
will also be appreciated that such a computer system may be 
used to perform many of the functions of an Internet Service 
Provider, such as ISP 704 or ISP 706. 

[0155] Computer system 800 may interface with external 
systems through the modem or network interface 802. Modem or 
network interface 802 may be considered to be part of computer 
system 800 and may be an analog, ISDN, or cable modem, Ethernet 
or Token Ring interface, wireless or infrared transceiver, 
satellite transmission interface (for example, "DirectPC"), or 
other interface to couple a computer system to other computer 
systems. Computer system 800 may include processor 804, which 
may be a conventional microprocessor such as an Intel Pentium 
microprocessor or Motorola PowerPC microprocessor or may be a 
large, central processing unit as found in International 
Business Machine (IBM) mainframes. Memory 806 may be coupled 
to processor 804 through system bus 808. System bus 808 also 
may couple mass storage 810, display controller 812, and 
input/output (I/O) controller 814 to processor 804 and memory 
806, as well as to each other. Computer system 800 
alternatively may couple mass storage 810 and modem or network 
interface 802 to system bus 808 via I/O controller 814 such 
that mass storage 810 and modem or network interface 802 may 
be part of I/O devices 818. 

[0156] Memory 806 may be dynamic random access memory 
(DRAM) and may also include static RAM (SRAM) and read-only 
memory (ROM). Within memory 806 may be executable programs 
807. Memory 806 may be a distributed readable storage medium 
containing executable computer program instructions which, 
when executed, cause at least one of a client computer system 
and a server computer system to perform a key exchange and 
authentication as set out in Figure 5 or Figure 6. Memory 806 
also may be a computer readable storage medium containing 
executable computer program instructions which, when executed, 
cause server computer system 718 to perform a key exchange and 
authentication as set out in Figure 5 or Figure 6. 

[0157] Display controller 812 may control in the 
conventional manner a display on a display device 816. 
Display device 816 may be a cathode ray tube (CRT), liquid 
crystal display, or other display. The input/output (I/O) 
devices 818 may be coupled to I/O controller 814 and may 
include keyboard 822, disk drives, printers, a scanner, and 
other input or output devices, including mouse 824 or other 
pointing device. Display controller 812 and I/O controller 
814 may be implemented with conventional, well-known 
technology. Digital image input device 820 may be a digital 
camera coupled to I/O controller 814 to allow images from the 
digital camera to be input into computer system 800. Mass 
storage 810 may be a magnetic hard disk, an optical disk, or 
another form of storage for large amounts of data. Some of 
this data may be written into memory 806 by a direct memory 
access process during execution of software in computer system 
800. 

[0158] It will be appreciated that computer system 800 may 
be one example of many possible computer systems that have 
different architectures. For example, personal computer 
systems often have multiple buses, one of which may be 
considered to be a peripheral bus. Network computers may also 
be considered to be a computer system that may be used with 
the present invention. Network computers need not include a 
hard disk or other mass storage while executable programs 807 
may be loaded from a network connection into memory 806 for 
execution by processor 804. A WebTV system or other embedded 
computing device may be considered to be a computer system 
according to the present invention, even though it excludes 
certain features shown in Figure 8, such as certain input or 
output devices. 

[0159] A computer system may include at least a processor, 
memory, and a bus coupling the memory to the processor. 
Operating system software that may control computer system 800 
may include a file management system, such as a disk operating 
system, which may be part of the operating system software. 
The file management system may be stored in mass storage 810 
and causes processor 804 to execute the various operations 
required by the operating system to input or output data and 
to store data in memory, including storing files on mass 
storage 810. 

[0160] In operation, computer system 800, acting as server 
computer system 718 through an application program 807, may 
place pages 900 of Figure 7 at the disposal of client computer 
systems 708, 710, 712, and/or 714. Pages 900 preferably are 
originated by executable programs 807 of Figure 8. In a 
preferred embodiment, pages 900 include one or more Web pages 
that request at least one of user identification 902 or 
password 904. Processor 804 may generate pages 900 as files 
containing at least one device for entry or selection of at 
least one of user identification 902 or password 904 using a 
browser at client computer systems 708, 710, 712, and/or 714. 
Processor 804 may then transmit these files through the 
network of Internet 700 to client computer systems 708, 710, 
712, and/or 714 illustrated in Figure 7. 

[0161] The logical operations required to distribute or 
bring pages 900 to the computer screen of a client are 
conventional. To begin, a consumer may send a request for 
pages 900 to server computer system 718 using a browser at 
client computer systems 708, 710, 712, and/or 714. Server 
computer system 718 may contain executable programs 807 that 
may be adapted to generate the files containing at least one 
device for entry or selection of at least one of user 
identification 902 or password 904. The request from the 
client or user may contain the address of the server, here 
server computer system 718, and the subaddress of the program 
file at the server, here executable programs 807. In Internet 
protocol, this complete address may be a locator string that 
may be referred to as the uniform resource locator (URL). 

[0162] The user may send the request by entering the 
desired locator string in the browser URL space provided on 
pages 900. Alternatively, the client may depress an 
electronic link button illustrating a mark such as a 
trademark. The electronic link button may be located on one 
of several Web pages and may be programmed to enter the 
desired locator string in the browser URL space of the client. 
[0163] On receiving the request, server computer system 718 
may invoke executable programs 807 to build the HTML page file 
and send the HTML page file to the browser that requested the 
Web page. On receiving the HTML page file, client computer 
systems 708, 710, 712, and/or 714 may store the file in memory 
806 and use this stored file to build and display Web pages 
900 on display 816 of the client computer system. 
[0164] The exemplary embodiments described herein are 
provided merely to illustrate the principles of the invention 
and should not be construed as limiting the scope of the 
subject matter of the terms of the claimed invention. The 
principles of the invention may be applied toward a wide range 
of systems to achieve the advantages described herein and to 
achieve other advantages or to satisfy other objectives, as 
well. 